Verus-Ethereum Bridge Hacked for $11.58M in Forged-Transfer Exploit

An attacker drained $11.58 million from the Verus-Ethereum cross-chain bridge on May 18, 2026, by submitting a forged transfer message that passed the bridge’s verification checks while depositing nearly zero real value.

The exploit, first flagged by on-chain security firm Blockaid, targeted a gap between what the bridge’s smart contracts proved and what they actually paid out. 

The attack exposed a class of vulnerability that security researchers say has cost the broader DeFi sector hundreds of millions of dollars since 2022.

How a $10 Transaction Drained $11.58 Million

The attacker spent approximately $10 in VRSC fees. For that cost, they received $11.58 million in return.

Blockaid described the root cause as “a missing source-amount validation in checkCCEValues,” saying it was not an ECDSA bypass, not a notary key compromise, and not a parser or hash-binding bug. 

In plain terms: the bridge verified signatures correctly but never confirmed that the source-chain transaction actually locked matching funds.

The attacker built a transaction committing to a payout blob with empty source-side totals. Verus accepted it as legitimate. 

Eight of fifteen notaries cryptographically signed the resulting state root. 

The attacker then submitted that signed proof to the Ethereum bridge contract via submitImports(). 

The bridge verified the proof, decoded the blob, and paid out $11.58 million from its reserves.

Security firm ExVul reached the same conclusion, saying the attacker used a “forged cross-chain import payload” that passed the bridge’s verification flow and triggered three separate transfers to a drainer wallet.

Blockaid said the incident resembles the $190 million Nomad Bridge exploit and the $325 million Wormhole exploit from 2022, where fraudulent transfer instructions tricked protocols into releasing reserve funds.

What Was Taken and Where the Funds Went

PeckShield reported the bridge lost 103.6 tBTC, 1,625 ETH, and 147,000 USDC. The attacker quickly swapped the stolen assets into approximately 5,402 ETH, valued at roughly $11.4 million at current market prices.

PeckShield also revealed that the attacker’s wallet was initially funded through Tornado Cash, the crypto mixing service often associated with anonymous transactions. 

That funding occurred approximately 14 hours before the drain. 

The stolen funds remain parked at address 0x65Cb8b128Bf6e690761044CCECA422bb239C25F9, according to on-chain data.

At the time of publication, the Verus team had not publicly confirmed the exploit. Cointelegraph said it reached out to the protocol without receiving a response.

Eighth Bridge Hack of 2026 as DeFi Losses Pile Up

The Verus incident did not arrive in isolation.

THORChain confirmed a separate $10 million exploit just three days before the Verus attack, adding to mounting concerns about bridge and interoperability infrastructure across the DeFi sector.

The Verus exploit is the eighth incident involving bridge platforms in 2026. Attackers targeting bridges have made off with at least $328 million this year, according to PeckShield.

April 2026 set the year’s benchmark, with protocols losing more than $606 million across 12 incidents. The KelpDAO bridge drain accounted for $292 million, making it 2026’s largest single hack to date.

Blockaid said the fix for the Verus vulnerability would require approximately ten lines of Solidity code inside the checkCCEValues function. ExVul added broader recommendations: bridges should add strict payload-to-execution validation, layered verification around proof checks, and emergency pause mechanisms for unusual outbound transfers.

Verus’s native token VRSC showed little reaction to the news. Data from CoinGecko shows it was largely flat on the day of the hack, though it has lost close to 73% of its value over the past year.

What Comes Next

• Recovery and reimbursement: Verus-Ethereum Bridge users await information from the project team about potential reimbursements, recovery efforts, and upcoming security measures. No timeline has been announced.
• Stolen funds tracking: The consolidated 5,402 ETH wallet remains publicly visible on Etherscan. Law enforcement or exchange cooperation could freeze assets if the attacker attempts to cash out.

Bridge security reform: Blockaid’s technical report, published May 18, 2026, outlines the specific Solidity fix needed to close the checkCCEValues gap.